[Openswan dev] Question about UDP in ESP encapsulation in Openswan
Paul Wouters
paul at xelerance.com
Tue Oct 26 15:52:18 EDT 2010
On Tue, 26 Oct 2010, Kevin Wilson wrote:
> As far as I understand, when adding nat-traversal=yes to ipsec.conf
> and when both sides are behind NAT,
If one or both sides are behind NAT.
> As far as I understand, the openswan userspace pluto daemon is opening
> sockets and sends these two types of packets.
Correct.
> My question is about regular traffic
> This traffic also should have UDP encapsulation for NAT-T; who
> performs this?
The kernel. Either the XFRM NAT-T hooks (netkey and klips on linux > 2.6.22)
or the KLIPS NAT-T patch (linux <= 2.6.22)
> is it a job done by the kernel ? who tells the kernel
> that the traffic should be UDP encapsulated for NAT-T ? or is it done
> by openswan (I believe it ain't so).
Yes, the socket is marked as UDP_ENCAP using a setsockopt.
> 1) Where in the kernel such encapsulation is done ?
old style: net/ipv4/udp.c
new style: via xfrm hook in net/ipv4/udp.c
Paul
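
Added example, not part of the original message and not Openswan or kernel code: a C sketch of the split described in this reply, where a userspace daemon marks its UDP socket with the UDP_ENCAP socket option and the kernel then takes the ESP-in-UDP datagrams. The classifier follows the RFC 3948 demultiplexing rules; the function names and sample payloads are constructed for illustration, and the fallback constant values assume Linux.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/udp.h>

#ifndef UDP_ENCAP               /* fallbacks if libc lacks the Linux values */
#define UDP_ENCAP 100
#endif
#ifndef UDP_ENCAP_ESPINUDP
#define UDP_ENCAP_ESPINUDP 2
#endif

enum natt_kind { NATT_KEEPALIVE, NATT_IKE, NATT_ESP };

/* Constructed sample UDP payloads (not captured traffic). */
static const uint8_t sample_keepalive[] = { 0xff };
static const uint8_t sample_ike[] = { 0, 0, 0, 0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66, 0x77, 0x88 };
static const uint8_t sample_esp[] = { 0xc0, 0xff, 0xee, 0x01, 0, 0, 0, 1, 0xde, 0xad, 0xbe, 0xef };

/* Ask the kernel to treat datagrams on fd as ESP-in-UDP.
 * Returns 0 on success, -1 with errno set otherwise. */
int mark_espinudp(int fd)
{
    int type = UDP_ENCAP_ESPINUDP;
    return setsockopt(fd, IPPROTO_UDP, UDP_ENCAP, &type, sizeof(type));
}

/* Classify a UDP payload arriving on the NAT-T port (4500). */
enum natt_kind natt_classify(const uint8_t *p, size_t len)
{
    uint32_t first = 0;
    if (len == 1 && p[0] == 0xff)
        return NATT_KEEPALIVE;      /* NAT keepalive: a single 0xFF byte */
    if (len >= 4)
        memcpy(&first, p, 4);       /* ESP SPI, or the all-zero non-ESP marker */
    if (len > 8 && first != 0)
        return NATT_ESP;            /* non-zero SPI: decapsulated in the kernel */
    return NATT_IKE;                /* zero marker or too short: left to the daemon */
}

int main(void)
{
    int fd = socket(AF_INET, SOCK_DGRAM, 0);
    printf("UDP_ENCAP set: %s\n", mark_espinudp(fd) == 0 ? "yes" : "no");
    printf("ESP sample class: %d\n", natt_classify(sample_esp, sizeof sample_esp));
    return 0;
}
```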